HIPAA and Mental Health Records: A Higher Standard

The best way to approach all medical records in relation to HIPAA and the HITECH Act is to analogize it to the universal safety precautions taken throughout a clinical care setting (i.e. washing hands, surgical preparation (cleansing, gloves, gown, mask and gloves, and sharps disposal). Universal precautions should be taken with all patients, regardless of the conditions they present with.

There may be times, however, when greater protection is needed. For example, if a patient has TB, a different type of mask is utilized, as well as a face shield and double gloves. Likewise, mental health records require greater protection. The reason is the sensitive and subjective nature of the information contained therein.

In general, the HIPAA Privacy Rule, with a few exceptions, provides the patient and an authorized individual the "right to review, inspect and receive a copy of the medical records and billing records that are held by health plans and healthcare providers covered by the Privacy Rule." One of the "few exceptions" relates to a provider’s psychotherapy notes. Psychotherapy notes are those taken by a mental health professional during the course of a conversation related to treatment with the patient and "are kept separate from the patient’s medical and billing records." Specific portions of the regulations related to psychotherapy records are 45 C.F.R. §§ 164.508, 164.524, and 164.526.

Section 164.524 specifically addresses access to an individual’s protected health information (PHI). While most of the information contained therein can be reviewed and obtained, exceptions apply to: (i) psychotherapy notes and (ii) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

Section 168.508(a)(2) specifically addresses the authorization requirements related to psychotherapy notes. Although these notes are kept separate from a patient’s medical and billing records, they still can be used "to carry out treatment, payment, or healthcare operations" and used internally for training purposes or any legal proceeding.

With the increased penalties that were promulgated under the HITECH Act and the HIPAA Final Regulations, it is imperative that covered entities, business associates, and subcontractors utilize increased precautions. A breach including mental health information could cause significant harm to the person whose PHI is exposed; and, in turn, to the entity in the form of increased civil penalties and possible criminal penalties. State laws may also apply.